Automating password changes

Stairwick

Technical User
Apr 7, 2005
I wrote a script that added 400 users to a new system. I now need to set up their passwords to the same generic password so that when they login for the first time it will ask them to change it. I don't want to go in and manually set the same generic password for 400 users. Is there a way I can write a script using passwd or pwdadm to save me time?

Thanks,
Eric
 
In a word - no. There was a good tool available on the Bull Freeware web site which worked a treat on AIX 4.3.3 but doesn't on AIX 5L.

That said, you could:
Set a password for one user.
Use cut and paste to edit /etc/security/passwd by hand (or even script it if you're brave!), i.e. where the stanza says
Code:
newuser:
    password = *
change this to
Code:
newuser:
    password = <string copied from known passwd>
Edit /etc/passwd to replace the * in the passwd field with !

If you do this MAKE A MKSYSB FIRST!!!

Columb Healy
 
and backup /etc/security/passwd and /etc/passwd before you start.
 
The method listed by Columb won't force a password change upon the first login. You will need to set the ADMCHG flag.

Here's the syntax:

pwdadm -f ADMCHG account_name

gg
 
It can be done with a program called autopasswd (I think it's something from the Linux world; we have a working version for AIX 5.2).
We used it to set the password for all our users to a default value.

greetz

R.

 
I wrote a C program myself for this task way back in AIX 4.2; it still seems to work fine in AIX 5L.

It uses putuserattr/putuserpwhist system calls

autopasswd is probably similar.

p5wizard
 
RMBELGIUM, I believe autopasswd uses expect, which I'm not allowed to install. If you're allowed expect then the world is your oyster (after a little learning).

p5wizard, I would be grateful if you could post your code. This could be the answer to a lot of my problems!

Columb Healy
 
Note:

cryptpas works fine in 5.3, but initpass only works up to 5.2 - dumps core in 5.3 ...
I will have to modify it for 5.3 if/when I get around to it...
Of course, given only cryptpas, you could write a sed- or ed-based script to edit the /etc/passwd line and add the /etc/security/passwd stanza for a given user.

first code:

encrypt a given password using a specified salt code or pseudorandomly chosen salt parameter

cryptpas.c
Code:
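#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>      /* getpid(), crypt() */
#include <sys/time.h>
#include <sys/types.h>

/* characters that may appear in a crypt() salt */
char     salts[] =
            "azertyuiopqsdfghjklmwxcvbn.0123456789/NBVCXWMLKJHGFDSQPOIUYTREZA";
int      maxsalt = sizeof (salts) - 1;   /* number of salt characters, NUL excluded */

time_t   T;
time_t  *Tp = &T;

int      P;
int      seed;

int main(int argc, char *argv[])
{
  char  pass[9];          /* 8 significant characters + terminating NUL */
  char  salt[3];          /* 2 salt characters + terminating NUL */
  char *hash;

  /* usage: cryptpas password [salt] */
  if (argc < 2 || argc > 3 || (argc == 3 && strlen (argv[2]) < 2))
  {
    fprintf (stderr, "Usage: cryptpas password [2-character salt]\n");
    return 1;
  }

  strncpy (pass, argv[1], 8);
  pass[8] = '\0';         /* strncpy does not terminate a truncated copy */

  if (argc == 3)
  {
    strncpy (salt, argv[2], 2);
  }
  else
  {
    /* pseudorandom salt seeded from the clock and the process id */
    T = time (Tp);
    P = getpid();
    seed = T % 32768 + P;

    srandom (seed);
    salt[0] = salts[random() % maxsalt];
    salt[1] = salts[random() % maxsalt];
  }
  salt[2] = '\0';

  hash = crypt (pass, salt);
  if (hash == NULL)
  {
    perror ("crypt");
    return 2;
  }
  fprintf (stdout, "%s\n", hash);
  return 0;
}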

second code: set password entry for a given user

initpass.c
Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <usersec.h>
#include <userpw.h>
#include <pwd.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/types.h>

char            usernam[10];
char            passwrd[64];
long            lastupd;
uid_t           usernam_uid;
struct passwd   pw;
struct passwd  *pwp = &pw;
struct userpw   upw;
struct userpw  *upwp = &upw;
char            msg[16][256];
char          **msgp;     /* left as posted: uninitialized, corrected in the
                             author's follow-up post further down the thread */
char            hostnam[256];

time_t          T;
time_t         *Tp = &T;

int main(int argc, char *argv[])
{
  /* * *
   * usage: initpass user password
   * "password" is the already encrypted string, e.g. the output of cryptpas
   * only root may run this program
   * * */
  if (argc != 3)
  {
    fprintf (stderr, "Usage: initpass user password\n");
    exit (1);
  }
  /* reject arguments that do not fit the fixed-size buffers rather than
     overflowing them or silently truncating the user name */
  if (strlen (argv[1]) >= sizeof (usernam) ||
      strlen (argv[2]) >= sizeof (passwrd))
  {
    fprintf (stderr, "Error: user name or password string too long\n");
    exit (1);
  }
  strcpy (usernam, argv[1]);
  strcpy (passwrd, argv[2]);
  lastupd = (long) time (Tp);
  gethostname (hostnam, 256);
  hostnam[255] = '\0';

  if ((getuid()) != 0)
  {
    fprintf (stderr, "Only accessible to root!\n");
    exit (2);
  }

  /* open the user and password databases for writing */
  if ((setuserdb (S_WRITE)) != 0)
    perror ("setuserdb write");

  if ((setpwdb (S_WRITE)) != 0)
    perror ("setpwdb write");

  /* make sure the user exists */
  if ((getuserattr (usernam, S_ID, &usernam_uid, SEC_INT)) != 0)
  {
    if (errno == ENOENT)
    {
      fprintf (stderr, "Error: user %s does not exist on %s.\n",
                                    usernam,             hostnam);
    }
    exit (3);
  }
  /* "!" in /etc/passwd: the real password lives in /etc/security/passwd */
  if ((putuserattr (usernam, S_PWD, "!", SEC_CHAR)) != 0)
  {
    perror ("putuserattr");
    exit (4);
  }
  if ((putuserattr (usernam, S_ID, "0", SEC_COMMIT)) != 0)
  {
    perror ("putuserattr commit");
    exit (5);
  }

  /* write the encrypted password with ADMCHG set, so that the user is
     forced to change it at first login */
  strcpy (upw.upw_name, usernam);
  upw.upw_passwd = passwrd;
  upw.upw_lastupdate = lastupd;
  upw.upw_flags = PW_ADMCHG;
  if ((putuserpwhist (upwp, msgp)) != 0)
  {
    perror ("putuserpwhist");
    exit (6);
  }

  if ((enduserdb ()) != 0)
  {
    perror ("enduserdb");
    exit (7);
  }

  if ((endpwdb ()) != 0)
  {
    perror ("endpwdb");
    exit (8);
  }
  return 0;
}


usage:
encr_pwd=$(cryptpas <any_password>)
initpass <user_id> ${encr_pwd}

example:
mkuser newuser
initpass newuser $(cryptpas initial)

AIX Version 5
(C) Copyrights by IBM and by others 1982, 2002.
login: newuser
newuser's Password: initial
3004-610 You are required to change your password.
Please choose a new one.

newuser's New password:


disclaimer:
use at your own risk (i.e. backup /etc/passwd and /etc/security/passwd first!)

Gr.
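
Added example (not part of any post in this thread): the stanza edit Columb Healy describes, with the ADMCHG flag gg points out, done as the scripted edit p5wizard suggests, using awk filters that print the edited text instead of touching the live files. The function names, the sample files and the hash `ab1CdEfGhIjKl` are constructed for illustration; real input would be copies of /etc/security/passwd and /etc/passwd and a hash printed by cryptpas.

```sh
# Added example: filters for COPIES of the AIX password files; each function
# prints the edited text on stdout and nothing here writes to /etc.

# set_initial_password STANZA_FILE HASH EPOCH USER...
# Gives each USER stanza password = HASH, lastupdate = EPOCH, flags = ADMCHG.
# HASH is assumed to be classic crypt() output (no backslashes for awk -v).
set_initial_password() {
    file=$1; hash=$2; now=$3; shift 3
    awk -v hash="$hash" -v now="$now" -v users="$*" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
    /^[^ \t*][^ \t]*:[ \t]*$/ {                 # stanza header "name:"
        name = $1; sub(/:$/, "", name)
        skip = (name in want)
        print
        if (skip) {
            print "\tpassword = " hash
            print "\tlastupdate = " now
            print "\tflags = ADMCHG"            # force change at first login
            seen[name] = 1
        }
        next
    }
    skip && /^[ \t]+(password|lastupdate|flags)[ \t]*=/ { next }  # old values
    { print }
    END {
        for (i = 1; i <= n; i++)
            if (!(u[i] in seen)) { print "no stanza for " u[i] > "/dev/stderr"; rc = 1 }
        exit rc + 0
    }' "$file"
}

# mark_shadowed PASSWD_FILE USER...: field 2 of each USER line becomes "!"
mark_shadowed() {
    file=$1; shift
    awk -F: -v OFS=: -v users="$*" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
    { if ($1 in want) $2 = "!"; print }' "$file"
}

# Constructed sample files for a dry run (made-up hashes, not real accounts).
make_sample() {
    printf 'root:\n\tpassword = rootHASHxxxxx\n\tlastupdate = 1112000000\n\nnewuser:\n\tpassword = *\n' > "$1/security_passwd"
    printf 'root:!:0:0::/:/usr/bin/ksh\nnewuser:*:205:1::/home/newuser:/usr/bin/ksh\n' > "$1/passwd"
}

tmp=$(mktemp -d) && make_sample "$tmp"
set_initial_password "$tmp/security_passwd" 'ab1CdEfGhIjKl' 1112900000 newuser
mark_shadowed "$tmp/passwd" newuser
rm -rf "$tmp"
```

Diff the output against the originals before copying anything into place, with the backups the posters recommend already taken. A user name without a stanza is reported on stderr and makes set_initial_password return non-zero.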
 
ahem...

uninitialized pointer (glad I saw it before someone else rubbed my nose in it...)


in initpass.c:

change

char **msgp;

into

char **msgp = (char **)&(msg[0]);

and it should work fine - also on 5.3, tried it myself
 
p5wizard

Thanks - I've just checked this on AIX 5.1 and it has solved a long standing problem I've had where the Help Desk operators on one system need to be able to change passwords on up to eight systems simultaneously. This plus ssh plus sudo and I've cracked it!

Columb Healy
 